Iranian Government Goes Phishing?

No, the Iranian government is not looking for a nice catfish. Nor is the Iranian government spending the summer following around everyone’s favorite jam band Phish. Instead, the Iranian government may have been involved in a phishing scam by creating fake website verification certificates that tricked Iranians into providing usernames and passwords to sites like Gmail, Skype, and Facebook. Typically, phishing involves hackers creating a fake website that looks and feels like the real website the user was trying to view and which asks the user to “re-verify” her account by entering in her username and password. The certificates could then be used by a third party with control of the Internet service provider to eavesdrop on supposedly secure online conversations.

The attacks were made possible after hackers compromised DigiNotar, a Dutch company involved in verifying website authenticity. The company issues SSL certificates, which validate that data exchanged with a website is properly encrypted. The attacks were sufficiently severe enough to cause other SSL certificate-issuers to stop issuing new certificates. However, to have achieved the amount of success the Iranians claim (a claimed 300,000 accounts), hackers would likely have needed control of Iranian telecoms, which has generated speculation regarding the Iranian government’s involvement with the attack. However, it should be pointed out that the Iranian hacker claiming responsibility denies any involvement with the Iranian government.

This is not the first time hackers have gained access to dissident and government officials’ Gmail accounts. Chinese hackers, and perhaps the Chinese government, have been involved in repeated phishing incidents in China. After a 2009 Chinese phishing attack, Google moved its mainland Chinese search service to Hong Kong and stopped obeying the Chinese government’s censor requirements. At this time, it is unclear if Google has a similar response planned for the Iranian attacks.